OWASP 2025 Global AppSec EU

Download the complete training outline: AI Whiteboard Hacking Training Details

Testimonial: "After years evaluating security trainings at Black Hat, including Toreon's Whiteboard Hacking sessions, I can say this AI threat modeling course stands out. The hands-on approach and flow are exceptional - it's a must-attend."
- Daniel Cuthbert, Global Head of Cyber Security Research, Black Hat Review Board Member

In today's rapidly evolving AI landscape, security threats like prompt injection and data poisoning pose significant risks to AI systems. Our 3-day AI Whiteboard Hacking training equips you with practical skills to identify, assess, and mitigate AI-specific security threats using our proven DICE methodology. Through hands-on exercises and real-world scenarios, you'll learn to build secure AI systems while ensuring compliance with regulations like the EU AI Act.

The training concludes with an engaging red team/blue team wargame where you'll put theory into practice by attacking and defending a rogue AI research assistant. Upon completion, you'll earn the AI Threat Modeling Practitioner Certificate and gain access to a year-long subscription featuring quarterly masterclasses, expert Q&A sessions, and continuously updated resources.

Led by Sebastien Deleersnyder, co-founder and CTO of Toreon, and Black Hat trainer, this training combines technical expertise with practical insights gained from real-world projects across government, finance, healthcare, and technology sectors.

Quick Overview:
·       Target Audience: AI Engineers, Software Engineers, Solution Architects, Security Professionals
·       Prerequisites: Basic understanding of AI concepts (pre-training materials provided)
·       Certification: AI Threat Modeling Practitioner Certificate
·       Bonus: 1-year AI Threat Modeling Subscription included

Our lineup of the hands-on exercises from the training that let you put AI security concepts into practice:
Day 1: Foundations & Methodology
·       "AI Security Headlines from the Future" - Explore potential security scenarios
·       "Diagramming the AI Assistant Infrastructure" - Map out real AI system components
·       "Identification of STRIDE-AI threats for UrbanFlow" - Apply threat modeling to urban systems
· "Autonomous Vehicle System Attack Tree Analysis" - Build attack scenarios

Day 2: Implementation & Defense
·       "The Curious Chatbot Challenge (Injection)" - Hands-on prompt injection threats
·       "Applying OWASP AI Exchange on a RAG-powered CareBot" - Real-world threat library application
·       "AI Security Architecture Building Blocks Workshop" - Design secure AI systems
· "AI Risk Assessment: Autonomous Healthcare Robots" - Evaluate real-world AI risks

Day 3: Advanced Concepts & Practical Application
·       "Ethics in Action - The FairCredit AI Incident" - Navigate ethical AI challenges
·       "Data minimization and secure data handling for AI agents" - Implement privacy-by-design
·       "Mapping attacks and controls in an MLOps pipeline" - Secure the AI development lifecycle
·       "Project Prometheus: The Rogue AI Research Assistant" - Red Team/Blue Team wargame finale

Download the complete training outline: AI Whiteboard Hacking Training Details

Core Modules
00-00 Intro to App Security
00-01 Input Validation Basics
00-02 HTTP Security Basics
00-03 SOP and CORS
00-04 API and REST Security
00-05 Microservice Security
00-06 JSON Web Tokens
00-07 SQL and Other Injections
00-08 Cross-Site Request Forgery - CSRF Defenses for Various Architectures
00-09 File Upload and File I/O Security - Secure File Upload, File I/O Security
00-10 Deserialization Security - Safe Deserialization Practices
00-11 Artificial Intelligence Security - Securing AI Implementations, Full Course
00-12 Third-Party Library Security Management - Ensuring Third-Party Library Security
00-13 Introduction to Cloud Security - Basics of Cloud Security Management
00-14 Intro to iOS and Android Security - Mobile Security Fundamentals

Standards
01-00 OWASP Top Ten - Top Ten Web Security Risks
01-01 Intro to GDPR - European Data Privacy Law
01-02 OWASP ASVS - Comprehensive Secure Coding Standard
01-03 OWASP Top Ten Proactive Controls - Web Security Defense Categories
01-04 PCI Secure SDLC Standard - Credit Card SDLC Requirements

User Interface Security
02-00 XSS Defense - Client-Side Web Security
02-01 Content Security Policy - Advanced Client-Side Web Security
02-02 Content Spoofing and HTML Hacking - HTML Client-Side Injection Attacks
02-03 React Security - Secure React Application Development
02-04 Vue.js Security - Secure Vue.js Application Development
02-05 Angular and AngularJS Security - Secure Angular App Development
02-06 Clickjacking - UI Redress Attack Defense

Identity & Access Management
03-01 Authentication Best Practices - Web Authentication Practices
03-02 Session Management Best Practices - Web Session Management Practices
03-03 Multi-Factor Authentication - NIST SP-800-63 Compliant MFA Implementation
03-04 Secure Password Policy and Storage - Secure User Password Policy and Storage
03-05 Access Control Design - ABAC/Capabilities-Based Access Control
03-06 OAuth2 Security - OAuth2 Authorization Protocol
03-07 OpenID Connect Security - OpenID Connect Federation Protocol

Crypto Modules
04-00 Secrets Management - Key and Credential Storage Strategies
04-01 HTTPS/TLS Best Practices - Transport Security Introduction
04-02 Cryptography Fundamentals - Part 1 - Terminology, Steganography, Attacks, Kerchoff's Principle, PFC
04-03 Cryptography Fundamentals - Part 2 - Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures

Process
05-00 DevOps Best Practices - DevOps and DevSecOps with a CD/CI Focus
05-01 Secure SDLC and AppSec Management - Managing Secure Software Processes

Additional Topics
06-00 User and Helpdesk Awareness Training - Security Awareness for Non-Technical Staff
06-01 Social Engineering for Developers - Developer Protection Against Social Engineering
06-02 App Layer Intrusion Detection - Detecting App Layer Attacks
06-03 Threat Modeling Fundamentals - Security Design via Threat Modeling
06-04 Forms and Workflows Security - Secure Handling of Complex Forms
06-05 Java 8/9/10/11/12/13+ Security Controls - Java Security Advances
06-06 Logging and Monitoring Security - Security-Focused Logging
06-07 Subdomain Takeover - Preventing Subdomain Takeover Scenarios
06-08 Laravel and PHP Security - Focus on PHP Security

Lab Options
07-00 Competitive Web Hacking LABS - Hands-on Web Hacking Labs
07-01 Competitive API Hacking LABS - Hands-on API Hacking Labs
07-02 Secure Coding Knowledge LABS - Hands-on Secure Coding Labs

You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in "possible vulnerabilities", struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you.

In this course, which is being refreshed and updated for 2025, you will learn how to address these problems and more (in a vendor-neutral way)

For 2025, we are putting a particular emphasis on practicality and activities which bring value with topics including the following:

• Customising the tools to focus on your needs
• Building tool processes which fit your business
• Automating workflows using CI/CD without slowing it down
• Showing the value and improvements you are making
• Finding ways to scale triage to cut down noise
• Focusing on fixing what matters in your situation
• Advantages and disadvantages of alternative forms of remediation
• Comparison of the different tool types covered and which you may want to use in different situations.
• The use of Vulnerability Aggregation and ASPMs

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

Download the complete training outline: AI Whiteboard Hacking Training Details

Testimonial: "After years evaluating security trainings at Black Hat, including Toreon's Whiteboard Hacking sessions, I can say this AI threat modeling course stands out. The hands-on approach and flow are exceptional - it's a must-attend."
- Daniel Cuthbert, Global Head of Cyber Security Research, Black Hat Review Board Member

In today's rapidly evolving AI landscape, security threats like prompt injection and data poisoning pose significant risks to AI systems. Our 3-day AI Whiteboard Hacking training equips you with practical skills to identify, assess, and mitigate AI-specific security threats using our proven DICE methodology. Through hands-on exercises and real-world scenarios, you'll learn to build secure AI systems while ensuring compliance with regulations like the EU AI Act.

The training concludes with an engaging red team/blue team wargame where you'll put theory into practice by attacking and defending a rogue AI research assistant. Upon completion, you'll earn the AI Threat Modeling Practitioner Certificate and gain access to a year-long subscription featuring quarterly masterclasses, expert Q&A sessions, and continuously updated resources.

Led by Sebastien Deleersnyder, co-founder and CTO of Toreon, and Black Hat trainer, this training combines technical expertise with practical insights gained from real-world projects across government, finance, healthcare, and technology sectors.

Quick Overview:
·       Target Audience: AI Engineers, Software Engineers, Solution Architects, Security Professionals
·       Prerequisites: Basic understanding of AI concepts (pre-training materials provided)
·       Certification: AI Threat Modeling Practitioner Certificate
·       Bonus: 1-year AI Threat Modeling Subscription included

Our lineup of the hands-on exercises from the training that let you put AI security concepts into practice:
Day 1: Foundations & Methodology
·       "AI Security Headlines from the Future" - Explore potential security scenarios
·       "Diagramming the AI Assistant Infrastructure" - Map out real AI system components
·       "Identification of STRIDE-AI threats for UrbanFlow" - Apply threat modeling to urban systems
· "Autonomous Vehicle System Attack Tree Analysis" - Build attack scenarios

Day 2: Implementation & Defense
·       "The Curious Chatbot Challenge (Injection)" - Hands-on prompt injection threats
·       "Applying OWASP AI Exchange on a RAG-powered CareBot" - Real-world threat library application
·       "AI Security Architecture Building Blocks Workshop" - Design secure AI systems
· "AI Risk Assessment: Autonomous Healthcare Robots" - Evaluate real-world AI risks

Day 3: Advanced Concepts & Practical Application
·       "Ethics in Action - The FairCredit AI Incident" - Navigate ethical AI challenges
·       "Data minimization and secure data handling for AI agents" - Implement privacy-by-design
·       "Mapping attacks and controls in an MLOps pipeline" - Secure the AI development lifecycle
·       "Project Prometheus: The Rogue AI Research Assistant" - Red Team/Blue Team wargame finale

Download the complete training outline: AI Whiteboard Hacking Training Details

Core Modules
00-00 Intro to App Security
00-01 Input Validation Basics
00-02 HTTP Security Basics
00-03 SOP and CORS
00-04 API and REST Security
00-05 Microservice Security
00-06 JSON Web Tokens
00-07 SQL and Other Injections
00-08 Cross-Site Request Forgery - CSRF Defenses for Various Architectures
00-09 File Upload and File I/O Security - Secure File Upload, File I/O Security
00-10 Deserialization Security - Safe Deserialization Practices
00-11 Artificial Intelligence Security - Securing AI Implementations, Full Course
00-12 Third-Party Library Security Management - Ensuring Third-Party Library Security
00-13 Introduction to Cloud Security - Basics of Cloud Security Management
00-14 Intro to iOS and Android Security - Mobile Security Fundamentals

Standards
01-00 OWASP Top Ten - Top Ten Web Security Risks
01-01 Intro to GDPR - European Data Privacy Law
01-02 OWASP ASVS - Comprehensive Secure Coding Standard
01-03 OWASP Top Ten Proactive Controls - Web Security Defense Categories
01-04 PCI Secure SDLC Standard - Credit Card SDLC Requirements

User Interface Security
02-00 XSS Defense - Client-Side Web Security
02-01 Content Security Policy - Advanced Client-Side Web Security
02-02 Content Spoofing and HTML Hacking - HTML Client-Side Injection Attacks
02-03 React Security - Secure React Application Development
02-04 Vue.js Security - Secure Vue.js Application Development
02-05 Angular and AngularJS Security - Secure Angular App Development
02-06 Clickjacking - UI Redress Attack Defense

Identity & Access Management
03-01 Authentication Best Practices - Web Authentication Practices
03-02 Session Management Best Practices - Web Session Management Practices
03-03 Multi-Factor Authentication - NIST SP-800-63 Compliant MFA Implementation
03-04 Secure Password Policy and Storage - Secure User Password Policy and Storage
03-05 Access Control Design - ABAC/Capabilities-Based Access Control
03-06 OAuth2 Security - OAuth2 Authorization Protocol
03-07 OpenID Connect Security - OpenID Connect Federation Protocol

Crypto Modules
04-00 Secrets Management - Key and Credential Storage Strategies
04-01 HTTPS/TLS Best Practices - Transport Security Introduction
04-02 Cryptography Fundamentals - Part 1 - Terminology, Steganography, Attacks, Kerchoff's Principle, PFC
04-03 Cryptography Fundamentals - Part 2 - Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures

Process
05-00 DevOps Best Practices - DevOps and DevSecOps with a CD/CI Focus
05-01 Secure SDLC and AppSec Management - Managing Secure Software Processes

Additional Topics
06-00 User and Helpdesk Awareness Training - Security Awareness for Non-Technical Staff
06-01 Social Engineering for Developers - Developer Protection Against Social Engineering
06-02 App Layer Intrusion Detection - Detecting App Layer Attacks
06-03 Threat Modeling Fundamentals - Security Design via Threat Modeling
06-04 Forms and Workflows Security - Secure Handling of Complex Forms
06-05 Java 8/9/10/11/12/13+ Security Controls - Java Security Advances
06-06 Logging and Monitoring Security - Security-Focused Logging
06-07 Subdomain Takeover - Preventing Subdomain Takeover Scenarios
06-08 Laravel and PHP Security - Focus on PHP Security

Lab Options
07-00 Competitive Web Hacking LABS - Hands-on Web Hacking Labs
07-01 Competitive API Hacking LABS - Hands-on API Hacking Labs
07-02 Secure Coding Knowledge LABS - Hands-on Secure Coding Labs

You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in "possible vulnerabilities", struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you.

In this course, which is being refreshed and updated for 2025, you will learn how to address these problems and more (in a vendor-neutral way)

For 2025, we are putting a particular emphasis on practicality and activities which bring value with topics including the following:

• Customising the tools to focus on your needs
• Building tool processes which fit your business
• Automating workflows using CI/CD without slowing it down
• Showing the value and improvements you are making
• Finding ways to scale triage to cut down noise
• Focusing on fixing what matters in your situation
• Advantages and disadvantages of alternative forms of remediation
• Comparison of the different tool types covered and which you may want to use in different situations.
• The use of Vulnerability Aggregation and ASPMs

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

Download the complete training outline: AI Whiteboard Hacking Training Details

Testimonial: "After years evaluating security trainings at Black Hat, including Toreon's Whiteboard Hacking sessions, I can say this AI threat modeling course stands out. The hands-on approach and flow are exceptional - it's a must-attend."
- Daniel Cuthbert, Global Head of Cyber Security Research, Black Hat Review Board Member

In today's rapidly evolving AI landscape, security threats like prompt injection and data poisoning pose significant risks to AI systems. Our 3-day AI Whiteboard Hacking training equips you with practical skills to identify, assess, and mitigate AI-specific security threats using our proven DICE methodology. Through hands-on exercises and real-world scenarios, you'll learn to build secure AI systems while ensuring compliance with regulations like the EU AI Act.

The training concludes with an engaging red team/blue team wargame where you'll put theory into practice by attacking and defending a rogue AI research assistant. Upon completion, you'll earn the AI Threat Modeling Practitioner Certificate and gain access to a year-long subscription featuring quarterly masterclasses, expert Q&A sessions, and continuously updated resources.

Led by Sebastien Deleersnyder, co-founder and CTO of Toreon, and Black Hat trainer, this training combines technical expertise with practical insights gained from real-world projects across government, finance, healthcare, and technology sectors.

Quick Overview:
·       Target Audience: AI Engineers, Software Engineers, Solution Architects, Security Professionals
·       Prerequisites: Basic understanding of AI concepts (pre-training materials provided)
·       Certification: AI Threat Modeling Practitioner Certificate
·       Bonus: 1-year AI Threat Modeling Subscription included

Our lineup of the hands-on exercises from the training that let you put AI security concepts into practice:
Day 1: Foundations & Methodology
·       "AI Security Headlines from the Future" - Explore potential security scenarios
·       "Diagramming the AI Assistant Infrastructure" - Map out real AI system components
·       "Identification of STRIDE-AI threats for UrbanFlow" - Apply threat modeling to urban systems
· "Autonomous Vehicle System Attack Tree Analysis" - Build attack scenarios

Day 2: Implementation & Defense
·       "The Curious Chatbot Challenge (Injection)" - Hands-on prompt injection threats
·       "Applying OWASP AI Exchange on a RAG-powered CareBot" - Real-world threat library application
·       "AI Security Architecture Building Blocks Workshop" - Design secure AI systems
· "AI Risk Assessment: Autonomous Healthcare Robots" - Evaluate real-world AI risks

Day 3: Advanced Concepts & Practical Application
·       "Ethics in Action - The FairCredit AI Incident" - Navigate ethical AI challenges
·       "Data minimization and secure data handling for AI agents" - Implement privacy-by-design
·       "Mapping attacks and controls in an MLOps pipeline" - Secure the AI development lifecycle
·       "Project Prometheus: The Rogue AI Research Assistant" - Red Team/Blue Team wargame finale

Download the complete training outline: AI Whiteboard Hacking Training Details